One of the ways to increase market share is to build a better mousetrap, and it increasingly appears that one of the fastest ways to increase market share is to pilfer a company's plans for a better mousetrap. As reported in the October 18, 2010 online edition of the Kansas City Star, the latest edition of the Kroll Annual Global Fraud Report finds that, for the first time, theft of information and electronic data at global companies has overtaken physical theft of property and goods. As Kroll put it, "If fraud were a virus, almost everyone would be slightly ill": 88% of respondents reported that they had been hit by at least one type of fraud in the past year, a figure broadly similar in every region and consistent with those of previous years. However, we were struck by the finding that soft theft has overtaken hard theft as a key concern for companies in the area of fraud.
This year's study shows that the amount lost by businesses to fraud rose from $1.4m to $1.7m per billion dollars of sales in the past 12 months, an increase of more than 20%. While physical theft of cash, assets and inventory had been the most widespread fraud, by a considerable margin, in previous Global Fraud Reports, this year's findings reveal that theft of information or electronic data was reported by 27.3% of companies over the past 12 months, up from 18% in 2009. In contrast, reported incidences of theft of physical assets or stock declined slightly, from 28% in 2009 to 27.2% in 2010.
According to the 2010 survey, 88% of companies said they had been the victim of at least one type of fraud during the past year. Of the specific countries analyzed, China is the top market in which companies suffered fraud, with 98% of businesses operating there affected; Colombia ranked second with a 94% incidence of fraud, followed by Brazil with 90%. Information-based industries reported the highest incidence of theft of information and electronic data over the past 12 months; these include financial services (42% in 2010 versus 24% in 2009), professional services (40% in 2010 versus 27% in 2009) and technology, media and telecoms (37% in 2010 versus 29% in 2009).
The Kroll annual survey came on the heels of a notice we recently received about the upcoming release of the Open Source Security Testing Methodology Manual (OSSTMM) v3, the first comprehensive security testing methodology manual to gain wide adoption. The OSSTMM is a peer-reviewed methodology for performing security tests and producing security metrics; its test cases are divided into five channels (sections) which collectively cover information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters and military bases. Anthony Freed, Managing Director of InfosecIsland, called the OSSTMM "a strikingly authoritative outline of security best practices" that "will most certainly have an effect on security standards and best practices."
The OSSTMM is made available at no cost through the Institute for Security and Open Methodologies (ISECOM), a non-profit collaborative community dedicated to providing practical security awareness, research, certification and business integrity. ISECOM provides certification, training support and project support services, relies on non-partisan and vendor-neutral funding of its projects and infrastructure, and states that its training programs, standards and best practices are free of national or commercial influence.
This theft of business information was made real to me today by a client who told me that an account had been opened in the company's name by fraudulent means, and that someone was using it to purchase big screen televisions. The client only found out about the fraud when the company received its first invoice for these fraudulent purchases, that is, after the loss had already occurred. This reinforces the fact that compliance encompasses a wide range of areas in a company, and the Kroll Annual Survey makes clear that information security should be included.
For more information on the OSSTMM, visit the ISECOM website.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2010